Management and Storage of Sensitive Information UH Information Security Team (InfoSec)

Who Are We? The UH Information Security Team: Jodi Ito, Information Security Officer; Deanna Pasternak and Taylor Summers, Information Security Specialists. Contact: INFOSEC@HAWAII.EDU

What Do We Do? Support the system-wide information security program; provide oversight of IT security issues and concerns; ensure compliance with policies; perform security audits and risk assessments; initiate and monitor the protection of sensitive information; review and revise security policies; implement mandatory information security training; support the automated monitoring of network and technology resources.

National Cyber Security Awareness Month (NCSAM) History: started in 2004, sponsored by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA).

Cyber Security Awareness Month: the National Cyber Security Alliance (NCSA) initiated Cyber Security Month to raise awareness about cyber security and online safety precautions, protect our national digital infrastructure, and help prevent fraud and identity theft.

Examples of Cyber Attacks. Flame: an espionage toolkit that Kaspersky called one of the most complex threats ever discovered; its primary target was Iran. It can record audio, capture the screen and transmit the images, capture data typed into input boxes (including passwords), and scan for nearby Bluetooth devices. Stuxnet: a computer worm that sabotaged the centrifuges at the heart of Iran's nuclear program. Slammer/Sapphire: a worm that exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE; it infected more than 75,000 hosts in its first 10 minutes, and the flood of scanning traffic it generated acted as a denial of service that disrupted Internet services and some business processes (January 24, 2003 in Hawaii, January 25 UTC).

Yet Another Variant: Gauss, built on the same malware platform as Flame. http://mashable.com/2012/08/09/gauss-virus/

STOP. THINK. CONNECT.

Be Cyber Smart: in conjunction with the STOP. THINK. CONNECT. campaign, InfoSec brings you R U Cyber S.M.A.R.T.

UH Awareness Campaign for Cyber Security Month. What's in it for the UH community? Prevent future breaches; safeguard sensitive information; educate the UH community on safe personal computing practices. Be Cyber S.M.A.R.T.

R U S.M.A.R.T.: five topics for the five weeks in October: Secure Information Destruction; Management and Storage of Sensitive Information; Avoid Identity Theft; Responsible Computing Practices; Think Before You Click.

What Will We Cover? Laws related to sensitive information. Storage of sensitive information: where to keep it and where not to keep it. Management of sensitive information: how to safely transfer it to others, encryption, sensitive information best practices, and posting sensitive information online.

Secure Information Destruction Review: keep paper locked up until you shred it; shred sensitive information on paper and DVDs; physically destroy media; securely wipe both internal and external hard drives (deleting files or reformatting does not remove the data). Slides are available at http://www.hawaii.edu/infosec/ncsam.html; a rebroadcast will be available soon.

Document Retention: University of Hawai'i A8.450 Records Management Policy, www.hawaii.edu/svpa/apm/recmgmt/a8450.pdf. One objective: to eliminate the maintenance of unnecessary copies of records. For personal records retention guidance see www.shredit.com.

UH is sponsoring another eWaste Disposal Days in October; check the website for days and times.

What is Sensitive Information? Information is considered sensitive if its disclosure to unauthorized individuals could cause an adverse effect on the organization or an individual. Some examples are Social Security Numbers, student records, health information, driver's license numbers, credit card numbers, dates of birth, job applicant records, etc. State, Federal and regulatory requirements provide standards for protecting sensitive information. UH Policy E2.214 has a detailed description of sensitive information: http://www.hawaii.edu/apis/ep/e2/e2214.pdf

Know What to Protect. A partial list of data considered sensitive as outlined in UH Policy E2.214: student records (FERPA); health information (HIPAA); personal financial information; Social Security Numbers; dates of birth; access codes, passwords and PINs; answers to "security questions"; confidential salary information.

Many Laws, Similar Requirements: FERPA, HIPAA, PCI DSS, HRS 487, ITAR. Each requires protecting the confidentiality, integrity, and availability of sensitive information. Safeguards include access controls that limit access to persons with a need to know; encryption of data at rest and in transit; auditing and logging of access and modifications; documented policies and procedures; and training. ITAR additionally restricts the export of research data.


Where is Data Stored?

Protect Sensitive Information. The best way is to be aware: know what to protect, know how to protect it, and know how it is being used.

Be Aware: know where your information is stored; know what others are using your information for (your privacy rights); know the laws protecting information.

Your Privacy Rights: several Federal and State laws require businesses to provide their clients with an annual notice of what personal information is collected and how it is used. Notices are also posted on websites, which require you to acknowledge that you agree before you are given access to their product.

Read the Privacy Statement.

The Allegations Against Google Are: "Those litigants claim Google violated its previous policies that promised information provided by a user for one service would not be used by another service without the consumer's consent. The company is accused not only of combining the information but also of not providing an easy and efficient way for consumers to opt out. It allegedly violated the American Federal Wiretap Act (for willfully intercepting communications and aggregating personal information for financial benefit), breached the Stored Electronic Communications Act (for the way it accessed consumer communications stored on its systems), violated the Computer Fraud and Abuse Act, and transgressed other statutes and state laws." Source: http://www.vancouversun.com/technology/google+legal+troubles+underscore+vul

Read Before You Click: before you click Accept on the Terms of Agreement, read what you are agreeing to; they may be sharing your information. http://news.cnet.com/8301-1023_3-57524073-93/facebook-wants-like-button-to-be-exempt-from-childprivacy-laws/

How to Protect Information: know where it is stored; safeguard it with physical security; encrypt it; use a password manager to store passwords securely; use password protection; redact it; delete it securely (wipe it).

Scan Your Computer. Identity Finder (Windows and Mac): download at www.hawaii.edu/software; how to use it: www.hawaii.edu/askus/1297. Find SSN (Linux, Solaris and legacy OS): www.hawaii.edu/askus/1323. Scan for vulnerabilities: scan a single machine at http://openvas.hawaii.edu/cgi-bin/myopenvas, or batch scan at http://openvas.hawaii.edu/batchopenvas/index.php

Register Any Servers Containing Sensitive Information. All public file, web, and FTP servers must be registered and scanned for sensitive personal information and for vulnerabilities: http://www.hawaii.edu/its/server/registration/. The UH Personal Information System survey is designed to identify ALL personal information systems in the University of Hawaii, as required by Hawaii State law: http://www.hawaii.edu/its/information/survey/

What Does An Encrypted File Look Like?

Encryption. Encrypting a Windows file, folder, or entire disk: http://www.hawaii.edu/askus/1285. Encrypted disk images and full disk encryption for a Mac: http://www.hawaii.edu/askus/676

DO NOT LOSE YOUR ENCRYPTION KEY. When using encryption, safeguard your encryption key (or passphrase) and any recovery key the tool generates. Encryption has no back door: if the key is lost, ITS may not be able to help you recover your data.
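The reason ITS cannot recover a file without its key is visible in how passphrase-based encryption is built. The following is an added example written for this page (not the Windows or Mac tools linked above, and not code from UH): the key exists only as a function of the passphrase and a random salt, and a wrong passphrase fails the authentication tag before any plaintext is produced. The cipher itself is a demonstration construction from the standard library only (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC); real data belongs in an established tool or AES-GCM from a vetted library.

```python
"""Passphrase-based encryption with integrity protection.

Added example for this page, not the Windows/Mac tools linked above.
It shows why a lost passphrase means lost data: the key exists only as a
function of the passphrase and a random salt, and a wrong passphrase makes
the authentication tag fail before any plaintext is produced.
The cipher here is a demonstration built only from the standard library
(HMAC-SHA256 keystream in counter mode, encrypt-then-MAC); for real data use
an established tool or AES-GCM from a vetted library.
"""
import hashlib
import hmac
import os
import struct

KDF_ITERATIONS = 200_000   # slow on purpose: each guess at the passphrase costs this much
SALT_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase with PBKDF2 into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom bytes: HMAC(key, nonce || counter) for counter = 0, 1, 2, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || ciphertext || tag. The fresh random salt doubles as the nonce."""
    salt = os.urandom(SALT_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, salt, len(plaintext))))
    tag = hmac.new(mac_key, salt + ct, "sha256").digest()
    return salt + ct + tag


def decrypt(passphrase: str, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on wrong passphrase or tampering."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("truncated ciphertext")
    salt, ct, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or corrupted data: nothing can be recovered")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, salt, len(ct))))


def can_recover(passphrase: str, blob: bytes) -> bool:
    """True if this passphrase opens the blob; the only question a 'recovery' request can ask."""
    try:
        decrypt(passphrase, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    blob = encrypt("correct horse battery", b"SSN 123-45-6789 (constructed)")
    print("right passphrase:", can_recover("correct horse battery", blob))
    print("wrong passphrase:", can_recover("correct horse batter", blob))
```

Note what is stored: a random salt, ciphertext, and a tag, none of which contain the passphrase. The only route back to the data is to supply the passphrase (or to guess it, at 200,000 PBKDF2 iterations per guess), which is exactly why the tool's recovery key must be kept somewhere safe and separate from the encrypted device.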

Ways To Securely Transfer Sensitive Information

Secure File Transfer: www.hawaii.edu/filedrop. Secure file transfer of up to 800MB; can share with people who are not part of the UH community; the secure URL is available for five days. Security ends at transmission: you still need to secure the information on your computer, and the recipient must secure their copy.

Secure Shell (SSH). What is SSH? An encrypted channel that protects everything sent over it, including passwords, across the Internet; SCP and SFTP transfer files over that same channel. Do not use telnet (or plain FTP): they send passwords in the clear, where anyone on the network path can read them.

Secure Socket Layer (SSL). What is SSL? A protocol that establishes an encrypted link between a web server and a browser, so that data passing between them stays private and cannot be altered in transit. (Modern browsers and servers use its successor, TLS, but the name SSL is still common.) In other words, it keeps your data safe on the wire.

How do I Know the Link is Secure? Look for https:// (the S means the connection is encrypted) and/or a padlock. Why is it important? The S or the padlock means that you have an encrypted link to this web site and that the site presented a certificate for that hostname issued by a certificate authority your browser trusts. It does NOT by itself prove that the site is a legitimate organization: anyone who controls a domain, including a phisher, can obtain a certificate for it, so always check that the domain name in the address bar is the one you expect.

Do Not Use The Following To Transfer Sensitive Information: unencrypted email; third-party cloud applications such as Dropbox or Google Drive; unsecured (unencrypted) USB drives or other external devices.

Where Should Sensitive Info Be Stored? Encrypted folders, partitions, or drives; secured servers; encrypted external drives; secure applications; locked file cabinets.

Where Not To Store Sensitive Information: your email; unsecured paper files; your unencrypted hard drive; social networking sites.

Know How it is Being Used. Who has your information and how are they using it? The bank, credit card companies, the University, social media, health care, and malicious information gathering.

Penalty: up to 10 years in jail, a $250,000 fine, or BOTH.

35,000 e-mail addresses, thousands of user names, and other information compromised. http://www.vancouversun.com/technology/googles+legal+troubles+underscore+vulnerability+privacy+rights/734

So What? Following policies and laws to protect sensitive information not only protects the consumer, it protects you from possible disciplinary action, as stated in the University of Hawai'i General Confidentiality Notice (UH Form 92).

Securing Your Password. Use a password keeper such as KeePass (http://keepass.info/). Do not store passwords on your monitor or under the keyboard. Use something easy to remember but hard to guess, and make it long. Follow the password generation guidelines: CAPITALS, lowercase, Numb3r5, $ymbols.


The Cloud. The cloud is not secure by default. Do not store sensitive information in the cloud unless it is encrypted before it leaves your computer, with a key that the cloud provider does not hold.

Keep Sensitive Information Secure From Social Engineers. Verify callers. Do not respond to email scams, phishing, or suspicious phone calls requesting confidential UH information or your own personal information. Remember: ITS will NEVER ask for your password by email.

Don't Fall For This. More on phishing in Week 5.


Back-Up? Regularly backing up your data is critical in case of a computer problem, BUT: store your backup in a safe place, preferably in a different location than the original data; secure it (lock it up, encrypt it); and regularly verify that the backup can actually be restored, because a backup that has never been test-restored is only a hope.
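"Verify the backup can be restored" means more than seeing the files reappear. The following is an added example written for this page (not a UH-provided tool; the directory layout and file contents in `demo()` are constructed): it records a SHA-256 digest of every file when the backup is made, then compares a restore made to a separate location against that manifest and reports what is missing, altered, or unexpected.

```python
"""Hash manifest for a backup set and verification of a restore against it.

Added example for this page (not a UH-provided tool). The directory layout
and file contents in demo() are constructed. A backup is only proven when a
restore to a separate location yields every file, byte for byte; this records
SHA-256 digests when the backup is made and reports anything missing or
altered after the restore.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored_root):
    """Compare a restored tree with the manifest; returns (missing, altered, extra)."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    altered = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return missing, altered, extra


def demo():
    """Constructed scenario: back up two files, then restore with one altered and one missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "notes").mkdir(parents=True)
        (src / "grades.csv").write_text("id,grade\n1,A\n")
        (src / "notes" / "memo.txt").write_text("constructed sample memo\n")
        manifest = build_manifest(src)               # taken at backup time

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)               # stands in for the restore step
        (restored / "grades.csv").write_text("id,grade\n1,B\n")   # silent corruption
        (restored / "notes" / "memo.txt").unlink()                # incomplete restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    missing, altered, extra = demo()
    print("missing:", missing, "altered:", altered, "extra:", extra)
```

Keep the manifest with the backup's paperwork rather than only inside the backup itself, since a manifest that travels with corrupted media can be corrupted with it. The same digests serve a second purpose: if the backup is encrypted (as the slide recommends), a successful verify after decrypting the restore proves both that the media survived and that the key you kept still works.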


Key Points to Remember: handle sensitive information responsibly; protect sensitive information in paper form and electronic data at rest and in transit; follow policy and, if in doubt, ask; bad things can happen if you do not; Think Before You Click.

How Do I Get iTunes? To be eligible for the weekly $15 iTunes card drawing you must: attend or watch a rebroadcast of this presentation; have a Facebook account; like our page at www.facebook.com/uhinfosec; answer the Security Question of the Week for October correctly (it will be posted after this session ends). You will then be added to the drawing for an iTunes card; I will contact you directly if you are the winner, to arrange delivery. To be entered to win the $25 gift card at the end of October, you must sign up for a session at www.hawaii.edu/training (no Facebook account required).

More Prizes: register or sign in online (www.hawaii.edu/training) to be eligible for a weekly drawing for a prize donated by the UH Manoa Bookstore. Prizes will be mailed to outer island winners.

For More Information: visit the Cyber Security Month (NCSAM) website for links to all presentations (posted soon), links to FTC materials, posters, the cyber security brochure, and STOP. THINK. CONNECT. brochures.

http://www.hawaii.edu/infosec/ncsam.html

http://www.hawaii.edu/infosec

Email us at infosec@hawaii.edu. Visit us at www.hawaii.edu/infosec. Like us on Facebook: www.facebook.com/uhinfosec. Follow us on Twitter: www.twitter.com/itsecurityuh